Date
Dec. 4, 2024, 3:07 p.m.
| Environment | |
|---|---|
| qemu-arm64 | |
| qemu-x86_64 |
[ 32.500452] ================================================================== [ 32.501762] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x3f4/0x468 [ 32.502643] Read of size 1 at addr fff00000c6743e28 by task kunit_try_catch/176 [ 32.503349] [ 32.504500] CPU: 1 UID: 0 PID: 176 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1 [ 32.506346] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.507233] Hardware name: linux,dummy-virt (DT) [ 32.508239] Call trace: [ 32.509003] show_stack+0x20/0x38 (C) [ 32.509607] dump_stack_lvl+0x8c/0xd0 [ 32.510315] print_report+0x118/0x5e0 [ 32.511354] kasan_report+0xc8/0x118 [ 32.512026] __asan_report_load1_noabort+0x20/0x30 [ 32.512680] kmalloc_uaf2+0x3f4/0x468 [ 32.513322] kunit_try_run_case+0x14c/0x3d0 [ 32.514036] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.514784] kthread+0x24c/0x2d0 [ 32.515375] ret_from_fork+0x10/0x20 [ 32.515895] [ 32.516252] Allocated by task 176: [ 32.516871] kasan_save_stack+0x3c/0x68 [ 32.517396] kasan_save_track+0x20/0x40 [ 32.518149] kasan_save_alloc_info+0x40/0x58 [ 32.519046] __kasan_kmalloc+0xd4/0xd8 [ 32.519668] __kmalloc_cache_noprof+0x15c/0x3c0 [ 32.520522] kmalloc_uaf2+0xc4/0x468 [ 32.521026] kunit_try_run_case+0x14c/0x3d0 [ 32.521831] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.522770] kthread+0x24c/0x2d0 [ 32.523292] ret_from_fork+0x10/0x20 [ 32.523907] [ 32.524266] Freed by task 176: [ 32.524793] kasan_save_stack+0x3c/0x68 [ 32.525304] kasan_save_track+0x20/0x40 [ 32.526058] kasan_save_free_info+0x4c/0x78 [ 32.526745] __kasan_slab_free+0x6c/0x98 [ 32.527444] kfree+0x114/0x3c8 [ 32.528009] kmalloc_uaf2+0x134/0x468 [ 32.528539] kunit_try_run_case+0x14c/0x3d0 [ 32.529113] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.530024] kthread+0x24c/0x2d0 [ 32.530454] ret_from_fork+0x10/0x20 [ 32.531119] [ 32.531513] The buggy address belongs to the object at fff00000c6743e00 [ 32.531513] which belongs to the cache kmalloc-64 of size 64 [ 32.532969] The buggy address is located 40 bytes inside of [ 32.532969] freed 64-byte region [fff00000c6743e00, fff00000c6743e40) [ 32.534448] [ 32.534780] The buggy address belongs to the physical page: [ 32.535562] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106743 [ 32.536508] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.537418] page_type: f5(slab) [ 32.537924] raw: 0bfffe0000000000 fff00000c00018c0 dead000000000122 0000000000000000 [ 32.538843] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 32.539822] page dumped because: kasan: bad access detected [ 32.540588] [ 32.541002] Memory state around the buggy address: [ 32.541547] fff00000c6743d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 32.542541] fff00000c6743d80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.543364] >fff00000c6743e00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 32.544302] ^ [ 32.545001] fff00000c6743e80: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 32.545951] fff00000c6743f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.546957] ================================================================== [ 31.919259] ================================================================== [ 31.920507] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x3bc/0x438 [ 31.921435] Read of size 16 at addr fff00000c6153d60 by task kunit_try_catch/156 [ 31.922458] [ 31.922958] CPU: 1 UID: 0 PID: 156 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1 [ 31.925428] Tainted: [B]=BAD_PAGE, [N]=TEST [ 31.926654] Hardware name: linux,dummy-virt (DT) [ 31.927331] Call trace: [ 31.927860] show_stack+0x20/0x38 (C) [ 31.928383] dump_stack_lvl+0x8c/0xd0 [ 31.929060] print_report+0x118/0x5e0 [ 31.929562] kasan_report+0xc8/0x118 [ 31.930452] __asan_report_load16_noabort+0x20/0x30 [ 31.931143] kmalloc_uaf_16+0x3bc/0x438 [ 31.931785] kunit_try_run_case+0x14c/0x3d0 [ 31.932380] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.933168] kthread+0x24c/0x2d0 [ 31.933655] ret_from_fork+0x10/0x20 [ 31.934320] [ 31.934986] Allocated by task 156: [ 31.935798] kasan_save_stack+0x3c/0x68 [ 31.936477] kasan_save_track+0x20/0x40 [ 31.937281] kasan_save_alloc_info+0x40/0x58 [ 31.938303] __kasan_kmalloc+0xd4/0xd8 [ 31.939001] __kmalloc_cache_noprof+0x15c/0x3c0 [ 31.939817] kmalloc_uaf_16+0x140/0x438 [ 31.940494] kunit_try_run_case+0x14c/0x3d0 [ 31.941140] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.942487] kthread+0x24c/0x2d0 [ 31.943475] ret_from_fork+0x10/0x20 [ 31.943889] [ 31.944136] Freed by task 156: [ 31.944805] kasan_save_stack+0x3c/0x68 [ 31.945399] kasan_save_track+0x20/0x40 [ 31.946731] kasan_save_free_info+0x4c/0x78 [ 31.947386] __kasan_slab_free+0x6c/0x98 [ 31.947969] kfree+0x114/0x3c8 [ 31.948434] kmalloc_uaf_16+0x190/0x438 [ 31.949043] kunit_try_run_case+0x14c/0x3d0 [ 31.949657] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 31.950899] kthread+0x24c/0x2d0 [ 31.951731] ret_from_fork+0x10/0x20 [ 31.952385] [ 31.952759] The buggy address belongs to the object at fff00000c6153d60 [ 31.952759] which belongs to the cache kmalloc-16 of size 16 [ 31.954651] The buggy address is located 0 bytes inside of [ 31.954651] freed 16-byte region [fff00000c6153d60, fff00000c6153d70) [ 31.956009] [ 31.956341] The buggy address belongs to the physical page: [ 31.957091] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106153 [ 31.958377] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 31.959381] page_type: f5(slab) [ 31.959898] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 31.961093] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 31.962372] page dumped because: kasan: bad access detected [ 31.964202] [ 31.964545] Memory state around the buggy address: [ 31.965082] fff00000c6153c00: fa fb fc fc 00 02 fc fc fa fb fc fc fa fb fc fc [ 31.966355] fff00000c6153c80: fa fb fc fc fa fb fc fc fa fb fc fc 00 04 fc fc [ 31.968699] >fff00000c6153d00: fa fb fc fc fa fb fc fc 00 00 fc fc fa fb fc fc [ 31.969469] ^ [ 31.970552] fff00000c6153d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.971584] fff00000c6153e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 31.972462] ================================================================== [ 32.373130] ================================================================== [ 32.374483] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x300/0x338 [ 32.375357] Read of size 1 at addr fff00000c5b31d08 by task kunit_try_catch/172 [ 32.376583] [ 32.377009] CPU: 0 UID: 0 PID: 172 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1 [ 32.379244] Tainted: [B]=BAD_PAGE, [N]=TEST [ 32.379801] Hardware name: linux,dummy-virt (DT) [ 32.380416] Call trace: [ 32.380891] show_stack+0x20/0x38 (C) [ 32.381576] dump_stack_lvl+0x8c/0xd0 [ 32.382767] print_report+0x118/0x5e0 [ 32.383334] kasan_report+0xc8/0x118 [ 32.384018] __asan_report_load1_noabort+0x20/0x30 [ 32.384782] kmalloc_uaf+0x300/0x338 [ 32.385432] kunit_try_run_case+0x14c/0x3d0 [ 32.386600] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.387368] kthread+0x24c/0x2d0 [ 32.387920] ret_from_fork+0x10/0x20 [ 32.388662] [ 32.389021] Allocated by task 172: [ 32.389571] kasan_save_stack+0x3c/0x68 [ 32.390858] kasan_save_track+0x20/0x40 [ 32.391604] kasan_save_alloc_info+0x40/0x58 [ 32.392240] __kasan_kmalloc+0xd4/0xd8 [ 32.392798] __kmalloc_cache_noprof+0x15c/0x3c0 [ 32.393522] kmalloc_uaf+0xb8/0x338 [ 32.394290] kunit_try_run_case+0x14c/0x3d0 [ 32.395217] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.396215] kthread+0x24c/0x2d0 [ 32.396675] ret_from_fork+0x10/0x20 [ 32.397259] [ 32.397543] Freed by task 172: [ 32.398184] kasan_save_stack+0x3c/0x68 [ 32.399269] kasan_save_track+0x20/0x40 [ 32.400310] kasan_save_free_info+0x4c/0x78 [ 32.400980] __kasan_slab_free+0x6c/0x98 [ 32.401683] kfree+0x114/0x3c8 [ 32.402165] kmalloc_uaf+0x11c/0x338 [ 32.403192] kunit_try_run_case+0x14c/0x3d0 [ 32.403918] kunit_generic_run_threadfn_adapter+0x88/0x100 [ 32.404554] kthread+0x24c/0x2d0 [ 32.405176] ret_from_fork+0x10/0x20 [ 32.406045] [ 32.406483] The buggy address belongs to the object at fff00000c5b31d00 [ 32.406483] which belongs to the cache kmalloc-16 of size 16 [ 32.408098] The buggy address is located 8 bytes inside of [ 32.408098] freed 16-byte region [fff00000c5b31d00, fff00000c5b31d10) [ 32.409515] [ 32.409897] The buggy address belongs to the physical page: [ 32.410702] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105b31 [ 32.412383] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff) [ 32.413320] page_type: f5(slab) [ 32.413907] raw: 0bfffe0000000000 fff00000c0001640 dead000000000122 0000000000000000 [ 32.415183] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 32.416271] page dumped because: kasan: bad access detected [ 32.416968] [ 32.417294] Memory state around the buggy address: [ 32.418572] fff00000c5b31c00: 00 06 fc fc 00 06 fc fc fa fb fc fc 00 06 fc fc [ 32.419486] fff00000c5b31c80: 00 06 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 32.420462] >fff00000c5b31d00: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.421324] ^ [ 32.421931] fff00000c5b31d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.422998] fff00000c5b31e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 32.423841] ==================================================================
[ 23.320155] ================================================================== [ 23.321800] BUG: KASAN: slab-use-after-free in kmalloc_uaf2+0x4aa/0x520 [ 23.322973] Read of size 1 at addr ffff88810298a8a8 by task kunit_try_catch/196 [ 23.324278] [ 23.324525] CPU: 1 UID: 0 PID: 196 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1 [ 23.325718] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.326084] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.326854] Call Trace: [ 23.327092] <TASK> [ 23.327410] dump_stack_lvl+0x73/0xb0 [ 23.327802] print_report+0xd1/0x640 [ 23.328308] ? __virt_addr_valid+0x1db/0x2d0 [ 23.328732] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.329336] kasan_report+0x102/0x140 [ 23.329700] ? kmalloc_uaf2+0x4aa/0x520 [ 23.330173] ? kmalloc_uaf2+0x4aa/0x520 [ 23.330590] __asan_report_load1_noabort+0x18/0x20 [ 23.331134] kmalloc_uaf2+0x4aa/0x520 [ 23.331643] ? __pfx_kmalloc_uaf2+0x10/0x10 [ 23.332049] ? finish_task_switch.isra.0+0x153/0x700 [ 23.332591] ? __switch_to+0x5d9/0xf60 [ 23.332938] ? __schedule+0xc3e/0x2790 [ 23.333494] ? __pfx_read_tsc+0x10/0x10 [ 23.333909] ? ktime_get_ts64+0x86/0x230 [ 23.334306] kunit_try_run_case+0x1b3/0x490 [ 23.334663] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.335235] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 23.335863] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.336469] ? __kthread_parkme+0x82/0x160 [ 23.336906] ? preempt_count_sub+0x50/0x80 [ 23.337227] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.337680] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.338497] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.339122] kthread+0x257/0x310 [ 23.339499] ? __pfx_kthread+0x10/0x10 [ 23.339780] ret_from_fork+0x41/0x80 [ 23.340227] ? __pfx_kthread+0x10/0x10 [ 23.340755] ret_from_fork_asm+0x1a/0x30 [ 23.341269] </TASK> [ 23.341586] [ 23.341741] Allocated by task 196: [ 23.342092] kasan_save_stack+0x3d/0x60 [ 23.342561] kasan_save_track+0x18/0x40 [ 23.343083] kasan_save_alloc_info+0x3b/0x50 [ 23.343488] __kasan_kmalloc+0xb7/0xc0 [ 23.343961] __kmalloc_cache_noprof+0x184/0x410 [ 23.344427] kmalloc_uaf2+0xc7/0x520 [ 23.344802] kunit_try_run_case+0x1b3/0x490 [ 23.345142] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.345775] kthread+0x257/0x310 [ 23.346144] ret_from_fork+0x41/0x80 [ 23.346484] ret_from_fork_asm+0x1a/0x30 [ 23.346937] [ 23.347173] Freed by task 196: [ 23.347628] kasan_save_stack+0x3d/0x60 [ 23.347916] kasan_save_track+0x18/0x40 [ 23.348211] kasan_save_free_info+0x3f/0x60 [ 23.348652] __kasan_slab_free+0x56/0x70 [ 23.349161] kfree+0x123/0x3f0 [ 23.349646] kmalloc_uaf2+0x14d/0x520 [ 23.350032] kunit_try_run_case+0x1b3/0x490 [ 23.350324] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.351960] kthread+0x257/0x310 [ 23.352578] ret_from_fork+0x41/0x80 [ 23.353237] ret_from_fork_asm+0x1a/0x30 [ 23.353617] [ 23.354036] The buggy address belongs to the object at ffff88810298a880 [ 23.354036] which belongs to the cache kmalloc-64 of size 64 [ 23.355645] The buggy address is located 40 bytes inside of [ 23.355645] freed 64-byte region [ffff88810298a880, ffff88810298a8c0) [ 23.357007] [ 23.357184] The buggy address belongs to the physical page: [ 23.358092] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10298a [ 23.358764] flags: 0x200000000000000(node=0|zone=2) [ 23.359235] page_type: f5(slab) [ 23.359573] raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 [ 23.360623] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 [ 23.361336] page dumped because: kasan: bad access detected [ 23.361974] [ 23.362200] Memory state around the buggy address: [ 23.362716] ffff88810298a780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.363162] ffff88810298a800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.363852] >ffff88810298a880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 23.364559] ^ [ 23.364959] ffff88810298a900: 00 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc [ 23.365634] ffff88810298a980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.366222] ================================================================== [ 22.734441] ================================================================== [ 22.735705] BUG: KASAN: slab-use-after-free in kmalloc_uaf_16+0x47d/0x4c0 [ 22.737128] Read of size 16 at addr ffff888101adf0c0 by task kunit_try_catch/176 [ 22.738271] [ 22.739078] CPU: 0 UID: 0 PID: 176 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1 [ 22.740263] Tainted: [B]=BAD_PAGE, [N]=TEST [ 22.740804] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 22.742118] Call Trace: [ 22.742375] <TASK> [ 22.742686] dump_stack_lvl+0x73/0xb0 [ 22.743604] print_report+0xd1/0x640 [ 22.744495] ? __virt_addr_valid+0x1db/0x2d0 [ 22.744962] ? kasan_complete_mode_report_info+0x64/0x200 [ 22.745987] kasan_report+0x102/0x140 [ 22.746343] ? kmalloc_uaf_16+0x47d/0x4c0 [ 22.747169] ? kmalloc_uaf_16+0x47d/0x4c0 [ 22.748123] __asan_report_load16_noabort+0x18/0x20 [ 22.748703] kmalloc_uaf_16+0x47d/0x4c0 [ 22.749117] ? __pfx_kmalloc_uaf_16+0x10/0x10 [ 22.749942] ? __schedule+0xc3e/0x2790 [ 22.751086] ? __pfx_read_tsc+0x10/0x10 [ 22.751628] ? ktime_get_ts64+0x86/0x230 [ 22.752055] kunit_try_run_case+0x1b3/0x490 [ 22.752848] ? __pfx_kunit_try_run_case+0x10/0x10 [ 22.753687] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 22.754161] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 22.755427] ? __kthread_parkme+0x82/0x160 [ 22.755804] ? preempt_count_sub+0x50/0x80 [ 22.756242] ? __pfx_kunit_try_run_case+0x10/0x10 [ 22.757371] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 22.757911] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 22.758752] kthread+0x257/0x310 [ 22.759118] ? __pfx_kthread+0x10/0x10 [ 22.760175] ret_from_fork+0x41/0x80 [ 22.760843] ? __pfx_kthread+0x10/0x10 [ 22.761169] ret_from_fork_asm+0x1a/0x30 [ 22.761703] </TASK> [ 22.761977] [ 22.762182] Allocated by task 176: [ 22.762979] kasan_save_stack+0x3d/0x60 [ 22.763281] kasan_save_track+0x18/0x40 [ 22.763957] kasan_save_alloc_info+0x3b/0x50 [ 22.764951] __kasan_kmalloc+0xb7/0xc0 [ 22.765359] __kmalloc_cache_noprof+0x184/0x410 [ 22.765981] kmalloc_uaf_16+0x15c/0x4c0 [ 22.766490] kunit_try_run_case+0x1b3/0x490 [ 22.766939] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 22.768298] kthread+0x257/0x310 [ 22.768898] ret_from_fork+0x41/0x80 [ 22.769679] ret_from_fork_asm+0x1a/0x30 [ 22.770226] [ 22.770943] Freed by task 176: [ 22.771578] kasan_save_stack+0x3d/0x60 [ 22.771985] kasan_save_track+0x18/0x40 [ 22.772522] kasan_save_free_info+0x3f/0x60 [ 22.772977] __kasan_slab_free+0x56/0x70 [ 22.773973] kfree+0x123/0x3f0 [ 22.774279] kmalloc_uaf_16+0x1d7/0x4c0 [ 22.774969] kunit_try_run_case+0x1b3/0x490 [ 22.776188] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 22.777040] kthread+0x257/0x310 [ 22.777992] ret_from_fork+0x41/0x80 [ 22.778628] ret_from_fork_asm+0x1a/0x30 [ 22.778848] [ 22.779172] The buggy address belongs to the object at ffff888101adf0c0 [ 22.779172] which belongs to the cache kmalloc-16 of size 16 [ 22.781331] The buggy address is located 0 bytes inside of [ 22.781331] freed 16-byte region [ffff888101adf0c0, ffff888101adf0d0) [ 22.782667] [ 22.782949] The buggy address belongs to the physical page: [ 22.783847] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101adf [ 22.784866] flags: 0x200000000000000(node=0|zone=2) [ 22.785728] page_type: f5(slab) [ 22.785975] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 22.787479] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 22.788214] page dumped because: kasan: bad access detected [ 22.788802] [ 22.789435] Memory state around the buggy address: [ 22.790279] ffff888101adef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.791152] ffff888101adf000: fa fb fc fc 00 04 fc fc 00 05 fc fc fa fb fc fc [ 22.792110] >ffff888101adf080: fa fb fc fc 00 00 fc fc fa fb fc fc fc fc fc fc [ 22.793256] ^ [ 22.794217] ffff888101adf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.795786] ffff888101adf180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 22.796539] ================================================================== [ 23.192972] ================================================================== [ 23.194781] BUG: KASAN: slab-use-after-free in kmalloc_uaf+0x322/0x380 [ 23.195657] Read of size 1 at addr ffff888102795328 by task kunit_try_catch/192 [ 23.197011] [ 23.197290] CPU: 1 UID: 0 PID: 192 Comm: kunit_try_catch Tainted: G B N 6.13.0-rc1-next-20241204 #1 [ 23.198953] Tainted: [B]=BAD_PAGE, [N]=TEST [ 23.199697] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 23.200352] Call Trace: [ 23.200719] <TASK> [ 23.201089] dump_stack_lvl+0x73/0xb0 [ 23.201475] print_report+0xd1/0x640 [ 23.202503] ? __virt_addr_valid+0x1db/0x2d0 [ 23.203205] ? kasan_complete_mode_report_info+0x64/0x200 [ 23.203859] kasan_report+0x102/0x140 [ 23.204667] ? kmalloc_uaf+0x322/0x380 [ 23.205173] ? kmalloc_uaf+0x322/0x380 [ 23.206003] __asan_report_load1_noabort+0x18/0x20 [ 23.206887] kmalloc_uaf+0x322/0x380 [ 23.207329] ? __pfx_kmalloc_uaf+0x10/0x10 [ 23.207579] ? __schedule+0xc3e/0x2790 [ 23.207773] ? __pfx_read_tsc+0x10/0x10 [ 23.208475] ? ktime_get_ts64+0x86/0x230 [ 23.209372] kunit_try_run_case+0x1b3/0x490 [ 23.210082] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.211196] ? _raw_spin_lock_irqsave+0xa2/0x110 [ 23.212243] ? _raw_spin_unlock_irqrestore+0x5f/0x90 [ 23.213286] ? __kthread_parkme+0x82/0x160 [ 23.213768] ? preempt_count_sub+0x50/0x80 [ 23.214076] ? __pfx_kunit_try_run_case+0x10/0x10 [ 23.214694] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10 [ 23.216021] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.217253] kthread+0x257/0x310 [ 23.217839] ? __pfx_kthread+0x10/0x10 [ 23.218623] ret_from_fork+0x41/0x80 [ 23.219363] ? __pfx_kthread+0x10/0x10 [ 23.220164] ret_from_fork_asm+0x1a/0x30 [ 23.221080] </TASK> [ 23.221588] [ 23.221769] Allocated by task 192: [ 23.222024] kasan_save_stack+0x3d/0x60 [ 23.222501] kasan_save_track+0x18/0x40 [ 23.222749] kasan_save_alloc_info+0x3b/0x50 [ 23.223317] __kasan_kmalloc+0xb7/0xc0 [ 23.224053] __kmalloc_cache_noprof+0x184/0x410 [ 23.225018] kmalloc_uaf+0xab/0x380 [ 23.225843] kunit_try_run_case+0x1b3/0x490 [ 23.226594] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.227738] kthread+0x257/0x310 [ 23.228049] ret_from_fork+0x41/0x80 [ 23.228327] ret_from_fork_asm+0x1a/0x30 [ 23.228835] [ 23.229270] Freed by task 192: [ 23.229564] kasan_save_stack+0x3d/0x60 [ 23.230658] kasan_save_track+0x18/0x40 [ 23.231023] kasan_save_free_info+0x3f/0x60 [ 23.231319] __kasan_slab_free+0x56/0x70 [ 23.231840] kfree+0x123/0x3f0 [ 23.232275] kmalloc_uaf+0x12d/0x380 [ 23.232970] kunit_try_run_case+0x1b3/0x490 [ 23.233283] kunit_generic_run_threadfn_adapter+0x85/0xf0 [ 23.233627] kthread+0x257/0x310 [ 23.234037] ret_from_fork+0x41/0x80 [ 23.234644] ret_from_fork_asm+0x1a/0x30 [ 23.235055] [ 23.235236] The buggy address belongs to the object at ffff888102795320 [ 23.235236] which belongs to the cache kmalloc-16 of size 16 [ 23.236119] The buggy address is located 8 bytes inside of [ 23.236119] freed 16-byte region [ffff888102795320, ffff888102795330) [ 23.238794] [ 23.238985] The buggy address belongs to the physical page: [ 23.239505] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102795 [ 23.240926] flags: 0x200000000000000(node=0|zone=2) [ 23.241657] page_type: f5(slab) [ 23.242845] raw: 0200000000000000 ffff888100041640 dead000000000122 0000000000000000 [ 23.243396] raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 [ 23.244403] page dumped because: kasan: bad access detected [ 23.245120] [ 23.245453] Memory state around the buggy address: [ 23.245958] ffff888102795200: 00 05 fc fc 00 02 fc fc 00 02 fc fc 00 02 fc fc [ 23.247419] ffff888102795280: 00 02 fc fc fa fb fc fc fa fb fc fc fa fb fc fc [ 23.247960] >ffff888102795300: fa fb fc fc fa fb fc fc fc fc fc fc fc fc fc fc [ 23.248650] ^ [ 23.249117] ffff888102795380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.250169] ffff888102795400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 23.251345] ==================================================================